Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?

  • Mathias Herrmann
  • Alexander May
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)


We look at iterated power generators \(s_i = s_{i-1}^e \bmod N\) for a random seed \(s_0 \in \mathbb{Z}_N\) that in each iteration output a certain amount of bits. We show that heuristically an output of \((1-\frac{1}{e})\log N\) most significant bits per iteration allows for efficient recovery of the whole sequence. This means in particular that the Blum-Blum-Shub generator should be used with an output of less than half of the bits per iteration and the RSA generator with \(e = 3\) with less than a \(\frac{1}{3}\)-fraction of the bits.

Our method is lattice-based and introduces a new technique, which combines the benefits of two techniques, namely the method of linearization and the method of Coppersmith for finding small roots of polynomial equations. We call this new technique unravelled linearization.


Keywords: power generator, lattices, small roots, systems of equations



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Mathias Herrmann (1)
  • Alexander May (1)
  1. Horst Görtz Institute for IT-Security, Faculty of Mathematics, Ruhr University Bochum, Germany
